Agent Token Inspector
Decode and compare JWT tokens across 1st-party and 3rd-party agents
Broad scopes + bounded authority ($50K max trade)
Encoded JWT (header.payload.signature):

```
eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6Im1lcmlkaWFuLWtleS0wMDEifQ.eyJpc3MiOiJodHRwczovL21lcmlkaWFuLXdlYWx0aC5hdXRoMC5jb20vIiwic3ViIjoiYWdlbnQ6bWVyaWRpYW4tYWktYWR2aXNvci0wMDEiLCJhdWQiOiJodHRwczovL2FwaS5tZXJpZGlhbndlYWx0aC5jb20iLCJhY3QiOnsic3ViIjoidXNlcjptYXJrLXZvbmctMTIzNDUifSwic2NvcGUiOiJyZWFkOnBvcnRmb2xpbyByZWFkOmhvbGRpbmdzIGV4ZWN1dGU6dHJhZGVzIHJlYWQ6dGF4X2RvY3VtZW50cyIsIm1heF90cmFkZV92YWx1ZSI6NTAwMDAsImlhdCI6MTcwOTUxMDQwMCwiZXhwIjoxNzA5NTI0MDAwfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c_dGHkR9X7zWqJtTE1cFb8XoJ2ueP3nKBvWzQ
```
Decoded Header

```json
{
  "alg": "RS256",
  "typ": "JWT",
  "kid": "meridian-key-001"
}
```

Token Lifetime

Issued at (iat): Mar 3, 2025 14:00 UTC
TTL (iat to exp): 3 hours 47 min
Session-length TTL. Longer-lived for 1st-party agents, but still bounded and revocable.
Decoded Payload

```json
{
  "iss": "https://meridian-wealth.auth0.com/",
  "sub": "agent:meridian-ai-advisor-001",
  "aud": "https://api.meridianwealth.com",
  "act": {
    "sub": "user:mark-vong-12345"
  },
  "scope": "read:portfolio read:holdings execute:trades read:tax_documents",
  "max_trade_value": 50000,
  "iat": 1709510400,
  "exp": 1709524000
}
```
MCP Tool Access (4 of 7 tools)

- get_portfolio
- get_holdings
- execute_trade
- get_tax_summary
- get_balance
- get_statements
- get_transactions
Bounded Authority

$50,000 per-trade limit
Enforced by Auth0 as a JWT custom claim. The MCP server rejects any trade exceeding this value -- regardless of what the agent's prompt says. This is infrastructure-level control, not prompt engineering.
Scope Comparison Matrix

| Scope | Meridian Advisor | Personal Assistant | Tax Agent |
|---|---|---|---|
| read:portfolio | | | |
| read:holdings | | | |
| execute:trades | | | |
| read:tax_documents | | | |
| read:portfolio_balance | | | |
| read:statements | | | |
| read:transaction_history | | | |
Same MCP server, different trust levels.
Auth0 issues each agent a different token with scopes matching what the user consented to. Every token is short-lived, narrowly scoped, and independently revocable.
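The decode-then-enforce flow described above (decoded payload, MCP tool access, bounded authority and the scope matrix), as an added Python example that is not code from this page, from Auth0 or from the MCP server it describes. It decodes the page's demo token without verifying the signature, maps scopes to the seven listed tools under an assumed one-to-one mapping (the page does not state it), and applies the expiry, scope and `max_trade_value` checks on the server side.

```python
import base64
import json
import time

# Demo token from the page (its signature is illustrative, so it is not verified here).
PAGE_TOKEN = (
    "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6Im1lcmlkaWFuLWtleS0wMDEifQ."
    "eyJpc3MiOiJodHRwczovL21lcmlkaWFuLXdlYWx0aC5hdXRoMC5jb20vIiwic3ViIjoiYWdlbnQ6bWVyaWRpYW4tYWktYWR2aXNvci0wMDEiLCJhdWQiOiJodHRwczovL2FwaS5tZXJpZGlhbndlYWx0aC5jb20iLCJhY3QiOnsic3ViIjoidXNlcjptYXJrLXZvbmctMTIzNDUifSwic2NvcGUiOiJyZWFkOnBvcnRmb2xpbyByZWFkOmhvbGRpbmdzIGV4ZWN1dGU6dHJhZGVzIHJlYWQ6dGF4X2RvY3VtZW50cyIsIm1heF90cmFkZV92YWx1ZSI6NTAwMDAsImlhdCI6MTcwOTUxMDQwMCwiZXhwIjoxNzA5NTI0MDAwfQ."
    "SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c_dGHkR9X7zWqJtTE1cFb8XoJ2ueP3nKBvWzQ"
)

# ASSUMED one-to-one scope -> MCP tool mapping, inferred from the page's tool list and scope matrix.
TOOL_SCOPES = {
    "get_portfolio": "read:portfolio",
    "get_holdings": "read:holdings",
    "execute_trade": "execute:trades",
    "get_tax_summary": "read:tax_documents",
    "get_balance": "read:portfolio_balance",
    "get_statements": "read:statements",
    "get_transactions": "read:transaction_history",
}

def _b64url_decode(segment):
    # JWT segments are unpadded base64url; restore the padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def decode_claims(token):
    """Return (header, payload) WITHOUT verifying the signature. A real MCP server
    must verify RS256 via the issuer's JWKS (selected by kid) and check iss/aud first."""
    header, payload, _signature = token.split(".")
    return json.loads(_b64url_decode(header)), json.loads(_b64url_decode(payload))

def allowed_tools(claims):
    """Tools whose required scope appears in the space-separated scope claim."""
    granted = set(claims.get("scope", "").split())
    return [tool for tool, scope in TOOL_SCOPES.items() if scope in granted]

def authorize_tool_call(claims, tool, args, now=None):
    """Server-side gate: expiry, scope, then the max_trade_value custom claim.
    Nothing in the agent's prompt can change this decision."""
    now = time.time() if now is None else now
    if now >= claims.get("exp", 0):
        return False, "token expired"
    if tool not in allowed_tools(claims):
        return False, f"scope for {tool} not granted"
    if tool == "execute_trade":
        limit = claims.get("max_trade_value")
        if limit is None or args.get("value", 0) > limit:
            return False, f"trade value exceeds per-trade limit {limit}"
    return True, "ok"
```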